Startup Puts Container Security in a Container

Among the emerging solutions for securing application containers in production is an application layer security tool that is itself a container.

Startup NeuVector, which announced early stage venture funding this week, is pitching a cloud-native container firewall that seeks to secure application containers and their host networks at their most vulnerable points: during runtime.

San Jose-based NeuVector launched its container firewall at the beginning of 2017 and has been working with Amazon Web Services (NASDAQ: AMZN), Docker, Red Hat (NYSE: RHT) and other infrastructure providers. The startup's founders previously worked for Cisco Systems (NASDAQ: CSCO), Fortinet (NASDAQ: FTNT) and VMware (NYSE: VMW).

As containers began ramping up, the primary security concerns focused on isolating application workloads from each other. As containers enter the mainstream, the startup argues they are as vulnerable to data breaches as virtual machines and other components.

NeuVector, which announced a $7 million Series A funding round on Tuesday (Nov. 7), is among a small but growing group of container security startups that include Aqua Security and Twistlock. According to the website Crunchbase, Tel Aviv-based Aqua Security has so far raised $38 million in venture funding, while San Francisco-based Twistlock has attracted more than $30 million in early stage funding.

These and other startups are responding to emerging network security threats as enterprises rely more heavily on application container infrastructure to sustain continuous delivery. "Enterprises are increasingly tapping into the power of containers for application deployment—and the bad guys have taken notice," NeuVector CEO Fei Huang asserted.

The startup's approach applies "cloud-native intelligence" in the form of behavioral learning techniques along with traditional network and firewall security to automate container isolation. It focuses specifically on the application layer during container runtime to isolate container traffic. The approach is designed to protect containers across the DevOps process, from build to ship to runtime, and then to scan containers and infrastructure for threats as code executes.

"The missing piece for mass adoption [of containers] is the runtime security," argued Lars Leckie, managing director at Hummer Winblad Venture Partners, lead investor in NeuVector. The venture firm was an early investor in Mulesoft (NYSE: MULE), an enterprise API specialist that went public in March.

Among NeuVector's twists on container security is using microservices technology itself as a way to automate security at the application layer. The startup claims its security container can be added to existing container infrastructure, where it uses behavioral learning to "whitelist" normal container behavior. It then applies security policies that protect container traffic.

Firewalls can be deployed manually to protect, for example, Docker containers, but NeuVector maintains those steps are complicated. Hence, it promotes emerging cloud-native container firewalls that make it easier to deploy Docker container firewalls while also adding network and cloud security.

"A cloud-native Docker container firewall is able to isolate and protect workloads, application stacks and services, even as individual containers scale up, down or across hosts," NeuVector CEO Huang noted in a recent blog post.
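The learn-then-enforce idea described above (observe normal container traffic, derive an allow-list, then treat anything outside it as a policy violation) can be illustrated with a small Python model. This is an added example written for this article, not NeuVector's code; the service names, ports and connection records are constructed sample data, and the policy is keyed by service name rather than container IP, which is one way to keep rules stable as containers scale up, down or across hosts as the quoted blog post describes.

```python
"""Learn-then-enforce allow-list for container-to-container traffic.

Added illustration, not NeuVector's implementation. All connection
records and service names below are constructed sample data.
"""
from collections import defaultdict
from dataclasses import dataclass


@dataclass(frozen=True)
class Connection:
    """One observed network flow between two containerized services."""
    src_service: str   # logical service name, not a container IP
    dst_service: str
    dst_port: int
    proto: str


# Constructed traffic captured during a "learning" window, when the
# application is assumed to be behaving normally.
LEARNING_TRAFFIC = [
    Connection("web", "api", 8080, "tcp"),
    Connection("web", "api", 8080, "tcp"),
    Connection("api", "db", 5432, "tcp"),
    Connection("api", "cache", 6379, "tcp"),
]

# Constructed runtime traffic: one normal flow and one flow the web tier
# never made during learning (web talking straight to the database).
RUNTIME_TRAFFIC = [
    Connection("web", "api", 8080, "tcp"),
    Connection("web", "db", 5432, "tcp"),
]


def learn_policy(connections):
    """Build an allow-list: for each source service, the set of
    (dst_service, dst_port, proto) tuples it was seen using."""
    policy = defaultdict(set)
    for c in connections:
        policy[c.src_service].add((c.dst_service, c.dst_port, c.proto))
    return dict(policy)


def evaluate(policy, conn):
    """Return 'allow' if conn matches learned behavior, else 'violation'.
    Services with no learned entry get an empty allow-list (default deny)."""
    allowed = policy.get(conn.src_service, set())
    key = (conn.dst_service, conn.dst_port, conn.proto)
    return "allow" if key in allowed else "violation"


def enforce(policy, connections):
    """Classify each runtime connection; returns a list of (conn, verdict)."""
    return [(c, evaluate(policy, c)) for c in connections]


def violations(policy, connections):
    """Only the connections that fall outside the learned policy."""
    return [c for c, verdict in enforce(policy, connections) if verdict == "violation"]


def render_rules(policy):
    """Render the learned policy as human-readable allow rules followed by
    an explicit default deny, so the generated policy can be reviewed."""
    rules = []
    for src in sorted(policy):
        for dst, port, proto in sorted(policy[src]):
            rules.append(f"ALLOW {src} -> {dst}:{port}/{proto}")
    rules.append("DENY * -> *")
    return rules


if __name__ == "__main__":
    learned = learn_policy(LEARNING_TRAFFIC)
    for rule in render_rules(learned):
        print(rule)
    for conn, verdict in enforce(learned, RUNTIME_TRAFFIC):
        print(verdict.upper(), conn)
```

Running the block prints three allow rules plus the default deny, then flags the `web -> db:5432/tcp` flow as a violation while allowing `web -> api`. In practice the learning window has to be trusted: anything observed during it, including an attacker already present, becomes part of the baseline, which is why generated rules are rendered for human review before enforcement.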

George Leopold has written about science and technology for more than 30 years, focusing on electronics and aerospace technology. He previously served as executive editor of Electronic Engineering Times. Leopold is the author of "Calculated Risk: The Supersonic Life and Times of Gus Grissom" (Purdue University Press, 2016).